
CMP-4354: Reviving profile test jobs on rhcos10#80728

Open
Anna-Koudelkova wants to merge 1 commit into
openshift:mainfrom
Anna-Koudelkova:rhcos10_profile_tests

Conversation

@Anna-Koudelkova

@Anna-Koudelkova Anna-Koudelkova commented Jun 18, 2026

Contributor

Node and platform tests using RHCOS 10 have some issues, so we have decided to revert to using the profile tests to map the behavior of rules on an RHCOS 10 cluster.

Summary by CodeRabbit

This PR updates ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml to improve ComplianceAsCode testing coverage for RHEL-10/RHCOS10 by adding profile-based end-to-end remediation jobs (to validate rule behavior on RHCOS10), alongside existing platform/node compliance jobs.

It:

  • Adds a top-level base_images block for the 4.22 cli, dev-scripts, and installer images.
  • Introduces a FIPS-specific install/config chain (ipi-aws-pre-fips) and updates existing RHCOS4 FIPS AWS jobs (e2e-aws-rhcos4-moderate, e2e-aws-rhcos4-high, e2e-aws-rhcos4-stig) to use pre: chain: ipi-aws-pre-fips instead of the prior ipi-aws-pre + fips-check flow.
  • Adds new IPI AWS profile remediation jobs targeting OS_IMAGE_STREAM: rhel-10 with *-rhcos10 naming. These jobs run TestProfileRemediations with PROFILE/PRODUCT set per profile variant (including moderate/high/BSI/PCI-DSS/CIS/STIG plus e8 and nerc-cip), typically with FEATURE_SET: TechPreviewNoUpgrade, OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest, and (for FIPS variants) pre: chain: ipi-aws-pre-fips and FIPS_ENABLED: "true".
  • Adds a new bare-metal intranet STIG remediation job for RHCOS10, e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10, enabling OVN + FIPS, setting DEVSCRIPTS_CONFIG, and running the metal rehearsed workflow with the appropriate pre sequence (including fips-check).
  • Leaves existing RHCOS10 platform/node compliance job entries in place (e2e-aws-openshift-platform-compliance-rhcos10 and e2e-aws-openshift-node-compliance-rhcos10), which still run TestPlatformCompliance/TestNodeCompliance.

Additionally, it adds/updates step-registry support for the FIPS pre chain and FIPS-compatible SSH keys (new step-registry YAML/metadata, updated OWNERS approvers, and a new ipi-conf-fips-sshkey-commands.sh script).

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

The change adds a new FIPS SSH key preparation step, updates existing FIPS AWS pre-steps to use it, and adds new RHEL-10 ComplianceAsCode jobs for AWS and baremetal IPI testing.

Changes

FIPS SSH key setup and RHEL-10 jobs

Layer: FIPS SSH key step
Files: ci-operator/step-registry/ipi/aws/pre/fips/*, ci-operator/step-registry/ipi/conf/fips-sshkey/*
Summary: Adds the ipi-aws-pre-fips chain, the ipi-conf-fips-sshkey step and script, and the related ownership metadata.

Layer: ComplianceAsCode job config
Files: ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml
Summary: Adds base images, switches existing FIPS AWS jobs to ipi-aws-pre-fips, and defines new AWS and baremetal RHEL-10 job entries.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

rehearsals-ack

Suggested reviewers

  • hector-vido
  • Prucek
  • taimurhafeez
🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning New rhcos10 jobs clone ocp4e2e from github.com, creating a public-internet dependency for disconnected CI. Mirror ocp4e2e to an internal source or image stream and remove public GitHub fetches from the new jobs.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: restoring profile-based test jobs for RHCOS 10.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo titles were added or changed; the touched files only contain static ci-operator job names and shell/YAML steps.
Test Structure And Quality ✅ Passed PR changes CI config and step-registry scripts only; no Ginkgo It/BeforeEach/Eventually test code is present to evaluate.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the patch is CI YAML and shell helpers only, with no It/Describe/Context bodies to audit.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only changes CI config and step-registry scripts; no new Ginkgo test bodies were added, so there are no SNO assumptions to flag.
Topology-Aware Scheduling Compatibility ✅ Passed Touched files are CI configs and step-registry scripts only; no deployment manifests, controllers, or scheduling constraints were added.
Ote Binary Stdout Contract ✅ Passed No OTE binary or suite-setup code changed; the only stdout writes are in a ci-operator shell step, which is outside this contract.
No-Weak-Crypto ✅ Passed PASS: The changes only add FIPS-oriented CI config and ssh-keygen usage with ecdsa/rsa; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons were added.
Container-Privileges ✅ Passed No changed manifest contains privileged:true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation:true, or root securityContext settings; only CI-level capabilities: intranet appears.
No-Sensitive-Data-In-Logs ✅ Passed Only benign status/public SSH-key output is logged; no passwords, tokens, PII, internal hostnames, or customer data appear in logs.


@openshift-ci openshift-ci Bot added the "approved" label (Indicates a PR has been approved by an approver from all required OWNERS files) on Jun 18, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (3)
ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml (3)

849-849: ⚡ Quick win

Consider removing set -x for consistency and security.

The set -x directive enables command tracing, which logs all executed commands with their arguments to CI logs. Per coding guidelines for step registry scripts, debug tracing should only be enabled when actively debugging, and the default should be set -euo pipefail without -x. While this test script doesn't handle secrets directly, enabling trace mode is inconsistent with the other 10 jobs in this PR and can inadvertently leak sensitive information.

♻️ Proposed fix to remove debug tracing
-        set -x
         export PROFILE=bsi
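Review bot: the hunk deletes `set -x` but puts nothing in its place, while the comment body says the step-registry default is `set -euo pipefail`; unless that line already appears earlier in this commands block, the suggestion should replace the removed line with `set -euo pipefail` rather than only delete it, otherwise a failing command before or after `export PROFILE=bsi` does not abort the step.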
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml`
at line 849, Remove the `set -x` directive from the script block that enables
command tracing, as it logs all executed commands with arguments to CI logs
which can inadvertently leak sensitive information. Replace it with `set -euo
pipefail` to enable proper error handling and exit on undefined variables, which
aligns with the security guidelines and provides consistency with the other 10
jobs in this PR.

Source: Coding guidelines


924-953: ⚡ Quick win

Consider removing set -x for consistency and security.

The set -x directive enables command tracing, which logs all executed commands with their arguments to CI logs. Per coding guidelines for step registry scripts, debug tracing should only be enabled when actively debugging, and the default should be set -euo pipefail without -x. While this test script doesn't handle secrets directly, enabling trace mode is inconsistent with the other 10 jobs in this PR and can inadvertently leak sensitive information.

♻️ Proposed fix to remove debug tracing
-        set -x
         export PROFILE=nerc-cip
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml`
around lines 924 - 953, Remove the `set -x` directive from the commands section
in the test step of the e2e-aws-rhcos4-nerc-cip-rhcos10 job. The `set -x`
enables debug tracing which logs all executed commands and can inadvertently
leak sensitive information in CI logs. Replace it with `set -euo pipefail` which
is the standard for step registry scripts to ensure consistency across all jobs
in this PR and to follow security best practices.

Source: Coding guidelines


879-879: ⚡ Quick win

Consider removing set -x for consistency and security.

The set -x directive enables command tracing, which logs all executed commands with their arguments to CI logs. Per coding guidelines for step registry scripts, debug tracing should only be enabled when actively debugging, and the default should be set -euo pipefail without -x. While this test script doesn't handle secrets directly, enabling trace mode is inconsistent with the other 10 jobs in this PR and can inadvertently leak sensitive information.

♻️ Proposed fix to remove debug tracing
-        set -x
         export PROFILE=e8
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml`
at line 879, Remove the `set -x` directive from the script as it enables command
tracing that logs all executed commands to CI logs, creating inconsistency with
the other 10 jobs in the PR and potentially leaking sensitive information.
Replace it with `set -euo pipefail` to follow the standard coding guidelines for
step registry scripts where debug tracing should only be enabled when actively
debugging, not by default.

Source: Coding guidelines


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0ffb646c-6a32-4f6e-88d8-108f5a6904eb

📥 Commits

Reviewing files that changed from the base of the PR and between 283ad93 and fc672f8.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-bsi-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova Anna-Koudelkova changed the title from "Reviving profile test jobs on rhcos10" to "CMP-4354: Reviving profile test jobs on rhcos10" on Jun 19, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 19, 2026

Contributor

@Anna-Koudelkova: This pull request references CMP-4354 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Node and platform tests using RHCOS 10 have some issues, so we have decided to revert to using the profile tests to map the behavior of rules on an RHCOS 10 cluster.

Summary by CodeRabbit

This PR extends the ComplianceAsCode content CI configuration to introduce profile-based end-to-end tests for RHCOS 10 clusters. The change adds 13 new test job definitions that validate compliance profiles (including STIG, PCI-DSS, CIS, BSI, and others) against both OCP4 and RHCOS4 products in RHEL-10/RHCOS-10 environments.

Each new test job:

  • Runs on IPI AWS infrastructure
  • Targets specific compliance profiles with -node suffix variants for OCP4
  • Includes FIPS enablement (for most profiles) and enforces FIPS prerequisites via pre-steps
  • Uses the latest nightly release stream for installation
  • Executes the TestProfileRemediations validation against the compliance content

This represents a shift to profile-based testing for RHCOS 10 validation, replacing the previous Node and platform test approach to more effectively validate rule behavior on this platform version.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the "jira/valid-reference" label (Indicates that this PR references a valid Jira ticket of any type) on Jun 19, 2026
@yuumasato

Contributor

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10
/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high-rhcos10

@openshift-merge-bot

Contributor

@yuumasato: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

Contributor

@yuumasato: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-cis-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova Anna-Koudelkova force-pushed the rhcos10_profile_tests branch from fc672f8 to a223fde on June 22, 2026 11:08
@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova

Contributor Author

/pj-rehearse abort

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova Anna-Koudelkova force-pushed the rhcos10_profile_tests branch from a223fde to 9164266 on June 22, 2026 13:31
@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml`:
- Line 902: Remove all instances of the `set -x` debug tracing command from the
test steps at lines 902, 932, and 991 in the YAML configuration. The `set -x`
command enables command tracing which increases log verbosity and exposes
sensitive runtime values in CI logs. Simply delete each `set -x` line while
preserving the remaining shell commands in those test steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a5ff9b46-1767-4ad6-8ea5-6d829e56db3c

📥 Commits

Reviewing files that changed from the base of the PR and between a223fde and 9164266.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml

- as: test
  cli: latest
  commands: |
    set -x

Contributor

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove debug tracing (set -x) from these test steps.

This increases log verbosity and can expose sensitive runtime values in CI logs.

As per coding guidelines, “Be cautious with set -x … variable expansions in traced commands will expose their values in logs.”

Suggested patch
@@
-        set -x
         export PROFILE=bsi
@@
-        set -x
         export PROFILE=e8
@@
-        set -x
         export PROFILE=nerc-cip
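Review bot: the three `@@` hunks carry no line ranges, so this suggestion cannot be applied as a patch and the reader has to map them to lines 902, 932 and 991 from the "Also applies to" line; carrying the ranges, or posting one suggestion per job so each can be committed from the review UI, would fix that. This version also only deletes `set -x`, whereas the earlier nitpick on the same jobs asked for `set -euo pipefail` in its place; the two suggestions should agree on whether a replacement line is wanted.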

Also applies to: 932-932, 991-991


capabilities:
- intranet
steps:
  cluster_profile: equinix-ocp-metal-qe

@yuumasato yuumasato Jun 22, 2026

Contributor

Is this cluster profile expected or a copy pasta mistake?

@Anna-Koudelkova Anna-Koudelkova Jun 22, 2026

Contributor Author

It is a copy and paste, but we are using it in downstream testing as well, so it was deliberate.

@Anna-Koudelkova Anna-Koudelkova force-pushed the rhcos10_profile_tests branch from 9164266 to 72effa3 on June 24, 2026 08:23
@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova Anna-Koudelkova force-pushed the rhcos10_profile_tests branch from 72effa3 to 57b2af2 on June 25, 2026 14:34
@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Anna-Koudelkova
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot removed the "approved" label (Indicates a PR has been approved by an approver from all required OWNERS files) on Jun 25, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-commands.sh`:
- Around line 32-45: The key generation loop in ipi-conf-fips-sshkey-commands.sh
only blocks ed25519, so overridden values like dsa can still slip through and
produce weak non-FIPS keys. Update the SSH_KEY_TYPE_LIST handling in the key
generation logic to whitelist only the supported FIPS key types (for example
ecdsa and rsa) and reject anything else with a clear error before calling
ssh-keygen. While doing so, update the ssh-keygen invocation in the same loop to
build an argument array instead of concatenating an optional string, using the
key_type-specific options in a safe, explicit way.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9aff19c4-a9ac-4945-b3f6-05e18fd3c29f

📥 Commits

Reviewing files that changed from the base of the PR and between 72effa3 and 57b2af2.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (8)
  • ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml
  • ci-operator/step-registry/ipi/aws/pre/fips/OWNERS
  • ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.metadata.json
  • ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.yaml
  • ci-operator/step-registry/ipi/conf/fips-sshkey/OWNERS
  • ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-commands.sh
  • ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.metadata.json
  • ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.yaml
✅ Files skipped from review due to trivial changes (4)
  • ci-operator/step-registry/ipi/aws/pre/fips/OWNERS
  • ci-operator/step-registry/ipi/conf/fips-sshkey/OWNERS
  • ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.metadata.json
  • ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.metadata.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml
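The two review points that recur in this thread, that `set -x` echoes every expanded value into the CI log, and that the key-generation loop in ipi-conf-fips-sshkey-commands.sh should whitelist FIPS key types and hand per-type options to ssh-keygen as separate arguments rather than a concatenated string, can be shown together in one small script. The following is an added example written for this thread; it is not the PR's step-registry script, and the variable names (FIPS_KEY_TYPES, TRACE_SHELL) and function names are assumptions for illustration. The ssh-keygen flags it uses (-t, -b, -q, -N, -C, -f) are standard OpenSSH options.

```shell
#!/bin/sh
# Added example, not the PR's ipi-conf-fips-sshkey-commands.sh: a FIPS-only SSH
# key generation loop. FIPS_KEY_TYPES, TRACE_SHELL and the function names are
# assumed for illustration, not taken from the step-registry.
set -eu

# Tracing is opt-in. Under set -x every expanded variable (paths, comments,
# whatever an env var carries) lands in the CI log, so it stays off unless the
# hypothetical TRACE_SHELL variable asks for it.
if [ "${TRACE_SHELL:-false}" = "true" ]; then
  set -x
fi

# Whitelist of key types usable in FIPS mode. ed25519 is not FIPS-approved and
# dsa is weak, so neither is reachable through an override of the list;
# blocking ed25519 alone would still let dsa through.
FIPS_KEY_TYPES="ecdsa rsa"

# is_fips_key_type TYPE: succeeds only when TYPE is in the whitelist.
is_fips_key_type() {
  for allowed in $FIPS_KEY_TYPES; do
    [ "$1" = "$allowed" ] && return 0
  done
  return 1
}

# validate_key_type_list "rsa ecdsa": fails with a clear message on the first
# type that is not whitelisted, before any key material is produced.
validate_key_type_list() {
  for t in $1; do
    if ! is_fips_key_type "$t"; then
      echo "error: SSH key type '$t' is not FIPS-approved (allowed: $FIPS_KEY_TYPES)" >&2
      return 1
    fi
  done
  return 0
}

# fips_keygen_opts TYPE: prints the type-specific ssh-keygen options as
# separate words (RSA-4096 and P-384 are FIPS-acceptable sizes).
fips_keygen_opts() {
  case "$1" in
    rsa)   printf '%s\n' "-t rsa -b 4096" ;;
    ecdsa) printf '%s\n' "-t ecdsa -b 384" ;;
    *)     echo "error: no ssh-keygen options defined for '$1'" >&2; return 1 ;;
  esac
}

# generate_fips_sshkeys "rsa ecdsa" DIR: validates the whole list first, then
# runs ssh-keygen once per type. The per-type options are loaded into the
# positional parameters with `set --` and passed as "$@", so each option
# reaches ssh-keygen as its own argument instead of being spliced into a
# string; the common options are appended as literal words.
generate_fips_sshkeys() {
  key_list="$1"
  out_dir="$2"
  validate_key_type_list "$key_list" || return 1
  mkdir -p "$out_dir"
  for t in $key_list; do
    # word-splitting of the option string is intentional here
    set -- $(fips_keygen_opts "$t")
    ssh-keygen "$@" -q -N "" -C "ci-fips-$t" -f "$out_dir/id_$t"
    echo "generated $out_dir/id_$t.pub"
  done
}

# Typical use: honour an operator override but never accept a non-FIPS type.
# generate_fips_sshkeys "${SSH_KEY_TYPE_LIST:-$FIPS_KEY_TYPES}" /tmp/fips-ssh
```

Validation runs over the whole list before the output directory is created, so an override such as SSH_KEY_TYPE_LIST="rsa dsa" yields an error and no key files rather than an RSA key beside a DSA one. `set -o pipefail` is left out only because it is not POSIX; in a bash step it belongs next to `set -eu`.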

Comment thread ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-commands.sh Outdated
@openshift-ci openshift-ci Bot added the "do-not-merge/invalid-owners-file" label (Indicates that a PR should not merge because it has an invalid OWNERS file in it) on Jun 25, 2026
@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@Anna-Koudelkova Anna-Koudelkova force-pushed the rhcos10_profile_tests branch 3 times, most recently from 85476e2 to 1caf0e4 on June 28, 2026 18:44
@openshift-ci openshift-ci Bot removed the "do-not-merge/invalid-owners-file" label (Indicates that a PR should not merge because it has an invalid OWNERS file in it) on Jun 28, 2026
@Anna-Koudelkova Anna-Koudelkova force-pushed the rhcos10_profile_tests branch from 1caf0e4 to 226fb7c on June 28, 2026 18:50
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@Anna-Koudelkova: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-bsi-node-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-cis-node-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high-node-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-nerc-cip-node-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-stig-node-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-bsi-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-e8-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-moderate-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-nerc-cip-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-stig-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10 ComplianceAsCode/content presubmit Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-bsi ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-bsi-node ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-cis ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-cis-node ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-e8 ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high-node ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss ComplianceAsCode/content presubmit Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-4-0 ComplianceAsCode/content presubmit Ci-operator config changed

A total of 43 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@Anna-Koudelkova

Contributor Author

/pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10

@openshift-merge-bot

Contributor

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci

openshift-ci Bot commented Jun 28, 2026

Contributor

@Anna-Koudelkova: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/rehearse/ComplianceAsCode/content/master/4.22-e2e-aws-ocp4-cis-node-rhcos10 fc672f8 link unknown /pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-cis-node-rhcos10
ci/rehearse/ComplianceAsCode/content/master/4.22-e2e-aws-ocp4-pci-dss-node-rhcos10 fc672f8 link unknown /pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node-rhcos10
ci/rehearse/ComplianceAsCode/content/master/4.22-e2e-aws-rhcos4-high-rhcos10 fc672f8 link unknown /pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high-rhcos10
ci/rehearse/ComplianceAsCode/content/master/4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10 9164266 link unknown /pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10
ci/rehearse/ComplianceAsCode/content/master/4.22-e2e-aws-ocp4-moderate-node-rhcos10 226fb7c link unknown /pj-rehearse pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
